From owner-freebsd-security Sat Sep 8 18:54:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-54.dsl.lsan03.pacbell.net [63.207.60.54]) by hub.freebsd.org (Postfix) with ESMTP id B105C37B405; Sat, 8 Sep 2001 18:54:16 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id C3D5866D0A; Sat, 8 Sep 2001 18:54:15 -0700 (PDT) Date: Sat, 8 Sep 2001 18:54:15 -0700 From: Kris Kennaway To: "Todd C. Miller" Cc: Kris Kennaway , "Andrey A. Chernov" , Matt Dillon , Jordan Hubbard , security@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: Fwd: Multiple vendor 'Taylor UUCP' problems. Message-ID: <20010908185415.A5619@xor.obsecurity.org> References: <5.1.0.14.0.20010908153417.0286b4b8@192.168.0.12> <200109082103.f88L3fK29117@earth.backplane.com> <20010908154617.A73143@xor.obsecurity.org> <20010908170257.A82082@xor.obsecurity.org> <20010908174304.A88816@xor.obsecurity.org> <20010909045226.A33654@nagual.pp.ru> <20010908180848.A94567@xor.obsecurity.org> <200109090120.f891KvM14677@xerxes.courtesan.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="WIyZ46R2i8wDzkSu" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200109090120.f891KvM14677@xerxes.courtesan.com>; from Todd.Miller@courtesan.com on Sat, Sep 08, 2001 at 07:20:56PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --WIyZ46R2i8wDzkSu Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Sep 08, 2001 at 07:20:56PM -0600, Todd C. Miller wrote: > In message <20010908180848.A94567@xor.obsecurity.org> > so spake Kris Kennaway (kris): >=20 > > The vulnerability involves uucp being made to run arbitrary commands > > as the uucp user through specifying a custom configuration file - see > > bugtraq. There may be other problems resulting from user-specified > > configuration files. I don't have time to go through the code and fix > > up the revocation of privileges right now..in the meantime, this > > prevents the root exploit where a user replaces a uucp-owned binary > > like uustat, which is called daily by /etc/periodic. >=20 > Is there really any reason to run uustat as root? Why not just run > it as user uucp via su? For that matter, running non-root owned > executables from daily seems like a really bad idea. Yeah, thats probably a good change to make. However the uucp vulnerability still lets e.g. arbitrary users read/modify uucp spool data, create files, access the uucp:dialer devices, etc. Kris --WIyZ46R2i8wDzkSu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7msvHWry0BWjoQKURAgOsAKDUaW67EnSmSBPj/wNhDf1GTr3YJgCfUhp2 l39v0hcNcqdhOFtbvN3UZnE= =m8Gv -----END PGP SIGNATURE----- --WIyZ46R2i8wDzkSu-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message